Got accreditation? No, the Department of Health and Human Services has said they don't require it, but if you want a second opinion on your security rule compliance efforts, accreditation organization URAC is here to help. URAC March 10 released a draft set of HIPAA security accreditation standards that it intends to finalize later this year. "The purpose of this accreditation program is to verify that an organization has put in place the necessary infrastructure and implemented necessary processes to comply with the HIPAA security rule," says URAC President and CEO Garry Carneal. The standards were crafted to lay out the principles of the security rule in a way that could be verified through the accreditation, without expanding the scope of the requirements beyond that of the HIPAA security rule, according to URAC. URAC accreditation will last for two years, after which organizations will have to apply for reaccreditation and submit to a URAC review. The organization also offers HIPAA privacy standard accreditation. URAC welcomes public comments on the 17-page draft standards document; comments are due by April 9. To see the standards, go to: www.urac.org/urac.asp?id=89.